Summary

Cisco IOS contains a buffer overflow vulnerability that allows a remote attacker to reload the device or execute arbitrary code on the affected system.

The vulnerability exists in the Firewall Authentication Proxy feature for Telnet and FTP sessions. Only systems with the Firewall Authentication Proxy feature for Telnet and FTP configured on an interface are vulnerable. A remote attacker could exploit this vulnerability by submitting invalid data to the initial username and password request from the firewall. This could result in a boundary error, allowing the attacker to reload the device or execute arbitrary code on the affected firewall.

Exploit code is available.

Patches are available.

Indicators of Compromise

A complete list of vulnerable IOS products is available at the following link: Cisco

Technical Information

The vulnerability exists when the Firewall Authentication Proxy feature for Telnet and FTP sessions processes user authentication credentials. To exploit this vulnerability, the attacker must obtain a TCP connection with the firewall and respond to the auth-proxy authentication prompt.

Analysis

The Cisco IOS Firewall Authentication Proxy for FTP and Telnet sessions allows remote users to gain access to network services based on their access profiles. The Firewall Authentication Proxy resides on a firewall at the perimeter of the local network and allows users to connect to FTP or telnet servers from the Internet after passing through either RADIUS or TACACS+ authentication. However, there is a buffer overflow vulnerability in IOS before that authentication occurs. If the attacker connects to the firewall on the listening port of the firewall authentication proxy, exploitation of this vulnerability could occur.

The initial connection is difficult for an attacker to obtain where good security practice is followed, namely a default-deny ACL on IP and MAC addresses. However, most users who access work resources from home will not have static IP addresses to list in an access control list: dial-up users will not, and cable and DSL users typically receive their IP addresses via DHCP, so those addresses can change frequently, usually whenever a reboot occurs. At best, administrators could establish an ACL on the MAC address of a home user's DSL or cable modem.

If ACLs are not sufficiently strict, anyone who bypasses them could exploit this vulnerability and access at least the DMZ of the affected site. Since no actual authentication is required, only firewalls and ACLs stand between the attacker and the corporate network.

Safeguards

Administrators are advised to apply the appropriate patch.

Administrators are advised to utilize restrictive access control lists.

Administrators are advised to disable the Firewall Authentication Proxy feature for Telnet and FTP sessions if not necessary. The following command disables the feature:

no ip auth-proxy name 'auth-proxy-name' {ftp | telnet}

Administrators are advised to use the Firewall Authentication Proxy feature for HTTP/HTTPS.

Administrators may consider restricting access to trusted hosts using Control Plane Policies.
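As an added example (not part of the Cisco alert), the script below audits a saved IOS running configuration for the vulnerable condition stated above, an ftp or telnet auth-proxy rule applied on an interface, and generates the corresponding disable commands; the configuration excerpt and the rule names AUTH_FTP, AUTH_TELNET and AUTH_WEB are constructed.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from the advisory);
# the rule names AUTH_FTP, AUTH_TELNET and AUTH_WEB are hypothetical.
SAMPLE_CONFIG = """
ip auth-proxy name AUTH_FTP ftp
ip auth-proxy name AUTH_TELNET telnet inactivity-time 30
ip auth-proxy name AUTH_WEB http
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip auth-proxy AUTH_FTP
 ip auth-proxy AUTH_WEB
!
interface FastEthernet0/1
 ip auth-proxy AUTH_TELNET
!
interface FastEthernet1/0
!
"""

RULE_RE = re.compile(r"^ip auth-proxy name (\S+) (ftp|telnet|http)\b")  # global rule definition
IFACE_RE = re.compile(r"^interface (\S+)")                             # start of an interface block
APPLY_RE = re.compile(r"^\s+ip auth-proxy (\S+)\s*$")                  # rule applied under an interface

def find_exposed_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface to the ftp/telnet auth-proxy rules applied on it; only
    those interfaces meet the advisory's vulnerable condition (http rules are fine)."""
    rule_proto: Dict[str, str] = {}
    exposed: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if m := RULE_RE.match(line):
            rule_proto[m.group(1)] = m.group(2)
        elif m := IFACE_RE.match(line):
            current = m.group(1)
        elif line.startswith("!"):
            current = None  # '!' ends the current interface block
        elif current and (m := APPLY_RE.match(line)):
            if rule_proto.get(m.group(1)) in ("ftp", "telnet"):
                exposed.setdefault(current, []).append(m.group(1))
    return exposed

def disable_commands(config: str) -> List[str]:
    """Emit the advisory's 'no ip auth-proxy name <name> {ftp | telnet}' command
    for every ftp/telnet rule that is actually applied on an interface."""
    protos = {m.group(1): m.group(2) for m in map(RULE_RE.match, config.splitlines()) if m}
    names = {n for rules in find_exposed_interfaces(config).values() for n in rules}
    return [f"no ip auth-proxy name {n} {protos[n]}" for n in sorted(names)]
```

Run it against the output of `show running-config` captured from each device; an empty result means no interface carries an ftp or telnet auth-proxy rule.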

Vendor Announcements

Cisco has re-released a security advisory to address Cisco bug ID CSCsa54608 at the following link: 66269

US-CERT has released a vulnerability note at the following link: VU#236045

Fixed Software

Cisco customers with active contracts can obtain updates through the Software Center at the following link: Cisco. Cisco customers without contracts can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at tac@cisco.com.

Revision History

Cisco has re-released a security advisory to include additional affected versions and to address the existence of publicly available exploit code.

2005-October-13 21:22 GMT

2

Cisco has re-released a security advisory with updates for IOS 12.2SG, 12.2SEC and 12.2SXF to address the firewall authentication proxy for FTP and telnet sessions buffer overflow vulnerability. US-CERT has released a vulnerability note.

2005-September-26 12:13 GMT

1

Cisco IOS contains a buffer overflow vulnerability in the Firewall Authentication Proxy for FTP and Telnet sessions that could allow a remote attacker to cause a denial of service condition or execute arbitrary code on the affected system. Patches are available.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

FIXED SOFTWARE INFORMATION AND LINKS PROVIDED BY SUPPLIERS AND VENDORS ARE FOR REFERENCE ONLY. USERS SHOULD CONTACT THEIR SUPPLIER OR VENDOR FOR UPDATED SOFTWARE.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products